3

我是aws的新手。我想为 aws 调用生成临时凭证。为此,我使用了Making Requests Using IAM User Temporary Credentials - AWS SDK for Java中的示例

我经过的地方

String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";

当尝试扮演角色时

stsClient.assumeRole(roleRequest);

得到一个错误

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:用户:arn:aws:iam:::user/ 无权执行:

sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:

拒绝访问; 请求 ID:)

我有一个认知角色。我认为角色信任关系设置中的问题。它看起来像这样:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<user pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

用户政策(此用户政策也附加到此角色):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<sidId1>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<path>*"
            ]
        },
        {
            "Sid": "sidId2",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Resource": [
                "arn:aws:iam::<ID>:role/<ROLE_NAME>"
            ]
        }
    ]
}

用户策略有两个警告:

在此处输入图像描述 我做错了什么?

UPD 我改变了角色信任关系,只需删除条件

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "AWS": "arn:aws:iam::<ID>:user/<USER>"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}

现在Access denied错误发生在另一行代码上:

  // Verify that assuming the role worked and the permissions are set correctly
  // by getting a set of object keys from the bucket.
  ObjectListing objects = s3Client.listObjects(bucketName);

收到错误响应:com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ), S3 Extended Request ID:

4

1 回答 1

0

To be able to assume to an IAM Role, simply the IAM Role assume role policy or trust relation must explicitly allow the principal assuming role into it, which in this case it didn't. It permitted sts:AssumeRoleWithWebIdentity with some conditions which didn't apply to your case.

About the other error, as mentioned by the @user818510 your role doesn't have permission to s3:ListBucket action.

于 2021-12-10T15:57:30.640 回答